On 01/11/2012 05:04 AM, Les Mikesell wrote:
On Tue, Jan 10, 2012 at 1:46 PM, Daniel J Walshdwalsh@redhat.com wrote:
On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh
dwalsh@redhat.com wrote:
Now if only more people used RHEL we could further enhance the products. :^)
Why isn't it accepted as more of a standard?
I don't understand the question.
Why is it vendor-specific to RHEL?
I was talking Money not vendor specific. The question meant as a jab was if more people used RHEL instead of Centos, we could pay more developers. I thought the @redhat.com would signify why I would want that. :^)
OK, I can understand why you would want that. I don't understand why you think anyone else would want even more nonstandard variations in linux distributions. And if this isn't intended to be vendor-specific, why isn't it an independent upstream project or included in the kernel?
The logical code to SELinux isn't specific to RH, not by a long shot. (Of course, RH may wind up doing some way un-Unixy/very-vendor-specific things in the near future, but that has nothing to do with SELinux) http://userspace.selinuxproject.org/trac http://www.gentoo.org/proj/en/hardened/selinux/ https://wiki.ubuntu.com/SELinux ...
But the difficult thing about SELinux isn't how it works, its the detail required for each policy to wrap each program up correctly without denying useful functionality in the process, not to mention deploying them with packages, and dealing with the whole new universe of inaccurate bug reports SELinux has spawned...
*That* is very hard -- and that is what Red Hat has been so good about over the last while. In the process Fedora has spawned a slew of new tools to make SELinux policy easier to deal with -- and in the process of doing that Fedora acquired/affirmed its reputation for eating babies.
SElinux exists all over the place, and there are binaries for it in nearly every distro -- but nearly everyone has decided that "its too hard" so its just a set of accessory packages almost nobody installs, and if installed not activated, and if activated quickly de-activated (the #1 web server "fix your frustrations on the web" advice for noobs is still "disable SELinux, it sux").
Honestly, though, at this point the tools really are there. A packager that wants to publish an SELinux policy with his package finds it easy if the tools are understood -- what is really lacking now is just a very public, beginner-friendly introduction to the core concepts of SELinux which includes a nice intro to the somewhat arbitrary jargon that surrounds access policy concepts.
Minds are very slowly changing and I am beginning to see a lot more functionality in non-Fedora-derived distros, but it takes a long time to turn the tide several years' worth of mailing archive, newsgroup, blog and forum advice *against* learning SELinux and turning it off instead -- and of course the biggest problem with that advice for those new to SELinux is that often it produces instant gratification.